I understand that puppet needs port 8140 tcp/udp open for server and client.

Will puppet work if a firewall is set up between these two hosts that only allows traffic from the server to the client (server -> client), or is two-way communication required?

Thanks for the help,

-JoE

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=.
On Thu, Nov 19, 2009 at 3:12 PM, JoE <joehillen@gmail.com> wrote:
> I understand that puppet needs port 8140 tcp/udp open for server and
> client.
>
> Will puppet work if a firewall is set up between these two hosts that
> only allows traffic from the server to the client (server -> client),
> or is two communication required?
>
> Thanks for the help,
>
> -JoE

I am a new user to Puppet, but I was going to tackle this issue with an SSH tunnel. It would be good to hear other people's thoughts on this.

Thanks,
Will
Thomas Bellman
2009-Nov-19 15:17 UTC
Re: [Puppet Users] Firewall between master and client?
JoE wrote:
> I understand that puppet needs port 8140 tcp/udp open for server and
> client.
>
> Will puppet work if a firewall is set up between these two hosts that
> only allows traffic from the server to the client (server -> client),
> or is two communication required?

It's the other way around: the client needs to be able to contact the master on port 8140. You only need to be able to connect to the client if you want to trigger runs with puppetrun.

/Bellman
Christopher Webber
2009-Nov-19 15:17 UTC
Re: [Puppet Users] Firewall between master and client?
No. The client pulls down the config, initiating the session.

-- cwebber

On Nov 19, 2009, at 7:12 AM, JoE wrote:
> I understand that puppet needs port 8140 tcp/udp open for server and
> client.
>
> Will puppet work if a firewall is set up between these two hosts that
> only allows traffic from the server to the client (server -> client),
> or is two communication required?
>
> Thanks for the help,
>
> -JoE
> Will puppet work if a firewall is set up between these two hosts that
> only allows traffic from the server to the client (server -> client),
> or is two communication required?

Actually, communication from the client to the server is the only thing that is required for the standard setup. Puppet is pulling its catalog from the master.

cheers
pete
Depends, really, on your firewall and what you want to accomplish.

Your clients need to be able to initialize connections to the server's port 8140 (TCP). Your server needs to be able to reply from its TCP 8140 back to the client, but does not need to initiate connections.

If you want to push changes out via puppetrun, you need to have the server able to initiate connections on the client's TCP 8139, and to have your clients reply to the server from their TCP 8139.

If you're looking at connection states, on iptables, you want:

-s CLIENT -d SERVER -m state --state NEW,ESTABLISHED,RELATED -p TCP --dport 8140 -j ACCEPT
-s SERVER -d CLIENT -m state --state ESTABLISHED,RELATED -p TCP --sport 8140 -j ACCEPT
-s CLIENT -d SERVER -m state --state ESTABLISHED,RELATED -p TCP --sport 8139 -j ACCEPT
-s SERVER -d CLIENT -m state --state NEW,ESTABLISHED,RELATED -p TCP --dport 8139 -j ACCEPT

Your version of iptables may have some variance to the above, but that should get you pointed in the right direction.

Hope that helps a bit.

On Nov 19, 10:17 am, william pink <will.p...@gmail.com> wrote:
> On Thu, Nov 19, 2009 at 3:12 PM, JoE <joehil...@gmail.com> wrote:
> > I understand that puppet needs port 8140 tcp/udp open for server and
> > client.
> >
> > Will puppet work if a firewall is set up between these two hosts that
> > only allows traffic from the server to the client (server -> client),
> > or is two communication required?
> >
> > Thanks for the help,
> >
> > -JoE
>
> I am a new user to Puppet but I was going to tackle this issue with a SSH
> tunnel but it would be good to hear other peoples thoughts on this..
>
> Thanks,
> Will
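A script form of the stateful rules in the post above, as an added example that is not part of zoniguana's message or of Puppet itself. It assumes the firewall is a third host sitting between agent and master (so the rules go in the FORWARD chain; on the endpoints themselves they would belong in INPUT/OUTPUT), takes the agent (CLIENT) and master (SERVER) addresses as arguments, and only emits the TCP 8139 rules when a third argument "puppetrun" is given, since those are the only rules that let the master open a connection toward the agent. By default it prints the iptables commands instead of loading them; set IPTABLES=iptables to apply them. The chain name, the dry-run default and the "puppetrun" switch are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): generate and optionally apply the
# stateful iptables rules for a firewall between a Puppet agent (CLIENT)
# and a puppetmaster (SERVER). Assumed: FORWARD chain, dry-run by default.

# Default to printing commands; override with IPTABLES=iptables to load them.
: "${IPTABLES:=echo iptables}"

# Print one rule per line. Only the agent -> master direction accepts NEW
# connections on TCP 8140; the master only gets to answer on that session.
puppet_fw_rules() {
    client=$1
    server=$2
    with_puppetrun=${3:-}

    # Agent initiates the HTTPS session to the master on TCP 8140.
    printf '%s\n' "-A FORWARD -s $client -d $server -p tcp --dport 8140 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    # Master replies from TCP 8140, never opens a session of its own.
    printf '%s\n' "-A FORWARD -s $server -d $client -p tcp --sport 8140 -m state --state ESTABLISHED,RELATED -j ACCEPT"

    if [ "$with_puppetrun" = "puppetrun" ]; then
        # puppetrun reverses the roles: the master opens TCP 8139 on the agent.
        printf '%s\n' "-A FORWARD -s $server -d $client -p tcp --dport 8139 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
        printf '%s\n' "-A FORWARD -s $client -d $server -p tcp --sport 8139 -m state --state ESTABLISHED,RELATED -j ACCEPT"
    fi
}

# Feed every generated rule to $IPTABLES (echo by default, iptables if set).
apply_puppet_fw_rules() {
    puppet_fw_rules "$@" | while IFS= read -r rule; do
        # Word-splitting the rule string into arguments is intended here.
        $IPTABLES $rule
    done
}

# Sanity check: how many rules accept a NEW connection from $1 to $2?
# For a plain agent/master setup this must be 0 in the master -> agent
# direction, so the master can never initiate sessions through the firewall.
count_new_rules() {
    src=$1
    dst=$2
    shift 2
    puppet_fw_rules "$@" | grep -e "-s $src -d $dst" | grep -c 'NEW' || true
}

# Usage: ./puppet-fw.sh 10.0.0.5 10.0.0.1 [puppetrun]
# (addresses here are constructed sample values)
if [ $# -ge 2 ]; then
    apply_puppet_fw_rules "$@"
fi
```

The two reply rules (ESTABLISHED,RELATED with --sport) are kept separate to mirror the post; on a host that already has a general "-m state --state ESTABLISHED,RELATED -j ACCEPT" rule early in the chain they are redundant, and only the two NEW rules matter. Running count_new_rules with the master as source and no "puppetrun" argument returning 0 is the quick way to confirm the firewall still enforces the pull-only model the rest of the thread describes.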
2009/11/20 zoniguana <rjustinwilliams@gmail.com>
> Depends, really, on your firewall and what you want to accomplish.
> Your clients need to be able to initialize connections to the server's
> port 8140 (TCP).
> Your server needs to be able to reply from its TCP 8140 back to the
> client, but does not need to initiate connections.
> If you want to push changes out via puppetrun, you need to have the
> server able to initiate connections on the client's TCP 8139, and to
> have your clients reply to the server from their TCP 8139.

Hi,

Does it mean it's not possible to tunnel both 8139 and 8140 connections into an SSH connection?

regards
James Turnbull
2009-Nov-22 11:00 UTC
Re: [Puppet Users] Re: Firewall between master and client?
> Does it mean it's not possible to tunnel both 8139 and 8140 connections into
> an SSH connection ?

Should be feasible, or you could do it through a simple VPN. Can't speak to the performance of the solution though - I'd recommend, if you're doing file serving, to use a 0.25.x setup.

Regards

James Turnbull

--
Author of:
* Pro Linux System Administration (http://tinyurl.com/linuxadmin)
* Pulling Strings with Puppet (http://tinyurl.com/pupbook)
* Pro Nagios 2.0 (http://tinyurl.com/pronagios)
* Hardening Linux (http://tinyurl.com/hardeninglinux)
Silviu Paragina
2009-Nov-27 17:31 UTC
Re: [Puppet Users] Re: Firewall between master and client?
On 22.11.2009 09:58, Olivier wrote:
> 2009/11/20 zoniguana <rjustinwilliams@gmail.com>
>
> > Depends, really, on your firewall and what you want to accomplish.
> > Your clients need to be able to initialize connections to the server's
> > port 8140 (TCP).
> > Your server needs to be able to reply from its TCP 8140 back to the
> > client, but does not need to initiate connections.
> > If you want to push changes out via puppetrun, you need to have the
> > server able to initiate connections on the client's TCP 8139, and to
> > have your clients reply to the server from their TCP 8139.
>
> Hi,
>
> Does it mean it's not possible to tunnel both 8139 and 8140
> connections into an SSH connection ?
>
> regards

Also take into account that the connection is already SSL encrypted (HTTPS protocol, actually), and the connection is already pretty secure as it is (clients are authenticated by their certificate). You may consider changing the puppet default ports to 80 to bypass firewalls if that is an issue.

Silviu